In the first breach that seems to have hit both adults and children at the same time interactive toy maker VTech has confirmed hackers have accessed private data including names, email addresses, and passwords as well as some mailing addresses and download history. The company claims that no credit card data was stolen but it seems that multiple headshots of parents and children are now in the wild due to the breach.

An anonymous researcher discovered a trivial exploit that allowed them to export over 4 million individual parent records and about 280,000 child records. Further, the researcher found over 2.3 million headshots – 190GB worth – on the server. The photos came from parents who were encouraged to take pictures while setting up some VTech toys but it is not clear if these are connected to specifically user accounts. Motherboard has seen a selection of these. The researcher explained they used an SQL injection to dump data from the VTech servers and that the entire process was trivial and could have been performed by actual hackers in the wild. This means the breached data could be available publicly.

Like most breaches there is very little actual information about where the data has gone. However, security researcher Troy Hunt was able to confirm that the data did come from a number of VTech customers and that it does reflect some version of the company’s customer database. Further, he confirmed that there were 4,833,678 parent records in the dump as well as 227,622 child records.

“There are 227,622 records in those five CSV files and yes, [the] columns are exactly what they look like – names, birth dates and genders, among other things,” he wrote. The security flaws are manifold, said Hunt.

“This is all discoverable by using their websites precisely as they were intended to be used which on the one hand means that it’s easily obtainable information by anyone yet on the other, means that they could also have readily identified a whole raft of flaws themselves if only they’d looked,” he said. “For example, there is no SSL anywhere. All communications are over unencrypted connections including when passwords, parent’s details and sensitive information about kids is transmitted. These days, we’re well beyond the point of arguing this is ok – it’s not. Those passwords will match many of the parent’s other accounts and they deserve to be properly protected in transit.”

The researcher could not tell if others have access to this data. Like most breaches, it is nearly impossible to tell the scope because the very tools that could be used to assess scope were missing or faulty in the first place.

The company released a statement confirming that no payment details were stolen. They have create emails to request further information regarding the breach.

Upon discovering the unauthorized access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks.